Query to calculate login success and failure rates

Venkatesh_Sridharan · April 21, 2021, 5:38am

Hello All,
I have a list of login events on the index which has the following fields.

ip_address: <text>
login_success: <bool>

Now I want to query the logs and get a count of number of success and failed logins from each IP address. Example output should look like the following

ip_address: 1.2.3.4
login_count: 45
failed_login: 50

ip_address: 2.5.6.8
login_count: 10
failed_login: 20

As you can see, there are totally 95 events from the IP address, 1.2.3.4 of which, 45 are success and 50 are failures. I can do a simple term aggregation to get the number 95 but I am not able to aggregate on success and failure separately. is there a way to achieve that in ES?

Let me know if I am not clear in my question. Thanks!

mayya · April 26, 2021, 12:45pm

You can achieve this by nesting filters aggregation inside terms aggregation on ip_address field. You query can look like something like this:

GET my_index/_search?size=0
{
  "aggs": {
    "ip_logs1": {
      "terms": {
        "field": "ip_address"
      },
      "aggs": {
        "ip_logs2": {
          "filters": {
            "filters": {
              "success": { "match": { "login_success": "true"}},
              "failure": {"match": { "login_success": "false"}}
            }
          }
        }
      }
    }
  }
}

system · May 24, 2021, 12:46pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Pipeline Aggregation and Counting Buckets Elasticsearch	1	632	April 18, 2019
Query to calculate successrate Elasticsearch	10	6819	September 29, 2017
Python3 query with large results, best approach Elasticsearch	11	1911	January 3, 2021
Aggregating Top hits results Elasticsearch	3	549	September 6, 2018
Aggs in DSL Elastic Security	7	317	December 14, 2023

Query to calculate login success and failure rates

Related Topics